Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Roll-your-own API Management Platform with NGIN...

Sean Cribbs
September 24, 2015
Technology
10
1.1k

Roll-your-own API Management Platform with NGINX and Lua

We recently replaced a proprietary API management solution with an in-house implementation built with NGINX and Lua that let us get to a continuous delivery practice in a handful of months. Learn about our development process and the overall architecture that allowed us to write minimal amounts of code, enjoying native code performance while permitting interactive coding, and how we leveraged other open source tools like Vagrant, Ansible, and OpenStack to build an automation-rich delivery pipeline. We will also take an in-depth look at our capacity management approach that differs from the rate limiting concept prevalent in the API community.

Sean Cribbs

September 24, 2015
Tweet

More Decks by Sean Cribbs

See All by Sean Cribbs
Adopting Stream Processing for Instrumentation
seancribbs
1
360
Supervisors, Links and Monitors
seancribbs
0
92
Getting the Word Out: Membership, Dissemination, and Population Protocols
seancribbs
0
340
Reliable High-Performance HTTP Infrastructure with nginx and Lua
seancribbs
0
570
The Refreshingly Rewarding Realm of Research Papers
seancribbs
0
360
Techniques for Metaprogramming in Erlang
seancribbs
2
1.4k
The Final Causal Frontier
seancribbs
6
910
Erlang - Building Blocks for Global Distributed Systems
seancribbs
4
790
A Brief History of Time in Riak
seancribbs
4
1.7k

Other Decks in Technology

See All in Technology
いまさらのStorybook
ikumatadokoro
0
150
リンクアンドモチベーション ソフトウェアエンジニア向け紹介資料 / Introduction to Link and Motivation for Software Engineers
lmi
4
290k
君は隠しイベントを見つけれるか?
mujyun
0
300
現地でMeet Upをやる場合の注意点 〜反省点を添えて〜
shotashiratori
0
530
[AWS JAPAN 生成AIハッカソン] Dialog の紹介
yoshimi0227
0
150
Oracle Cloud Infrastructure データベース・クラウド:各バージョンのサポート期間
oracle4engineer
PRO
27
12k
Amazon FSx for NetApp ONTAPを利用するにあたっての要件整理と設計のポイント
non97
1
160
Apple/Google/Amazonの決済システムの違いを踏まえた定期購読課金システムの構築 / abema-billing-system
cyberagentdevelopers
PRO
1
220
Autify Company Deck
autifyhq
1
39k
Amazon_CloudWatch_ログ異常検出_導入ガイド
tsujiba
4
1.6k
【技術書典17】OpenFOAM(自宅で極める流体解析)2次元円柱まわりの流れ
kamakiri1225
0
220
Jr. Championsになって、強く連携しながらAWSをもっと使いたい!~AWSに対する期待と行動~
amixedcolor
0
190

Featured

See All Featured
Designing Dashboards & Data Visualisations in Web Apps
destraynor
228
52k
Building Flexible Design Systems
yeseniaperezcruz
327
38k
GitHub's CSS Performance
jonrohan
1030
460k
Put a Button on it: Removing Barriers to Going Fast.
kastner
59
3.5k
Music & Morning Musume
bryan
46
6.1k
Fontdeck: Realign not Redesign
paulrobertlloyd
81
5.2k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
231
17k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
107
49k
Designing the Hi-DPI Web
ddemaree
280
34k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
Bootstrapping a Software Product
garrettdimon
PRO
305
110k
4 Signs Your Business is Dying
shpigford
180
21k

Transcript

  1. Roll-your-own API Management Platform 
 with NGINX and Lua Sean

    Cribbs, Comcast Cable @seancribbs

  2. About me

  3. Background

  4. None

  5. Consumer

  6. Internal Consumer

  7. Partner Internal Consumer

  8. API Management

  9. API Management access control capacity management

  10. CodeBig 1 API Consumer

  11. CodeBig 1 API Consumer CDN • traffic shaping • caching

  12. CodeBig 1 API Consumer CDN • traffic shaping • caching

    • access control • rate limiting Vendor APIM

  13. CodeBig 1 API Consumer CDN • traffic shaping • caching

    • access control • rate limiting Vendor APIM Internet Comcast LB • DNS RR • VIP

  14. CodeBig 1 API Consumer CDN • traffic shaping • caching

    • access control • rate limiting Vendor APIM • DMZ intermediary • path-host mapping iAuth Internet Comcast LB • DNS RR • VIP

  15. CodeBig 1 API Consumer CDN • traffic shaping • caching

    • access control • rate limiting Vendor APIM • DMZ intermediary • path-host mapping iAuth Internet Comcast Origin APIs LB • DNS RR • VIP

  16. Challenges

  17. Challenges visibility

  18. Challenges visibility responsibility

  19. Challenges visibility responsibility scope

  20. Challenges visibility responsibility scope latency

  21. Challenges visibility responsibility scope latency security

  22. CodeBig 2

  23. CodeBig 2 simplify architecture

  24. CodeBig 2 simplify architecture increase visibility

  25. CodeBig 2 simplify architecture increase visibility use open-source tools

  26. Architecture

  27. custom  logic HTTP Proxy

  28. Lua

  29. -­‐-­‐  Validates  the  OAuth  signature   -­‐-­‐  @return  Const.HTTP_UNAUTHORIZED  if

     either  the  key  or  signature  is  invalid   -­‐-­‐  this  method  is  internal  and  should  not  be  called  directly   function  _M.validate_signature(self)          local  headers  =  self.req.get_oauth_params()          local  key  =  headers[Const.OAUTH_CONSUMER_KEY]          local  keyconf  =  self.conf.keys[key]          if  keyconf  ==  nil  then                  return  {                          code  =  Const.HTTP_UNAUTHORIZED,                          error  =  Const.ERROR_INVALID_CONSUMER_KEY                  }          end          local  sig  =  get_hmac_signature(self.req,  keyconf.secret)          if  sig  ~=  headers[Const.OAUTH_SIGNATURE]  then                  return  {                          code  =  Const.HTTP_UNAUTHORIZED,                          error  =  Const.ERROR_INVALID_SIGNATURE                  }          end   end

  30. Lua < 3K LoC!!

  31. Intra-Datacenter VIP

  32. Intra-Datacenter VIP haproxy haproxy …

  33. Intra-Datacenter VIP … haproxy haproxy …

  34. Intra-Datacenter VIP Origin APIs … haproxy haproxy …

  35. DC3 VIP DC2 VIP DC1 VIP Cross-Datacenter

  36. DC3 VIP DC2 VIP DC1 VIP Cross-Datacenter dc1-­‐vip.    

             A              10.1.0.1 dc2-­‐vip.              A              10.2.0.1 dc3-­‐vip.              A              10.3.0.1

  37. DC3 VIP DC2 VIP DC1 VIP Cross-Datacenter vod vod acct

    acct dc1-­‐vip.              A              10.1.0.1 dc2-­‐vip.              A              10.2.0.1 dc3-­‐vip.              A              10.3.0.1

  38. DC3 VIP DC2 VIP DC1 VIP Cross-Datacenter vod vod acct

    acct dc1-­‐vip.              A              10.1.0.1 dc2-­‐vip.              A              10.2.0.1 dc3-­‐vip.              A              10.3.0.1 vod-­‐dc1.              CNAME      dc1-­‐vip. vod-­‐dc2.              CNAME      dc2-­‐vip.

  39. DC3 VIP DC2 VIP DC1 VIP Cross-Datacenter vod vod acct

    acct dc1-­‐vip.              A              10.1.0.1 dc2-­‐vip.              A              10.2.0.1 dc3-­‐vip.              A              10.3.0.1 vod-­‐dc1.              CNAME      dc1-­‐vip. vod-­‐dc2.              CNAME      dc2-­‐vip. vod-­‐dc1-­‐fo.        CNAME      dc1-­‐vip. vod-­‐dc1-­‐fo.        CNAME      dc2-­‐vip.

  40. DC3 VIP DC2 VIP DC1 VIP Cross-Datacenter vod vod acct

    acct dc1-­‐vip.              A              10.1.0.1 dc2-­‐vip.              A              10.2.0.1 dc3-­‐vip.              A              10.3.0.1 vod-­‐dc1.              CNAME      dc1-­‐vip. vod-­‐dc2.              CNAME      dc2-­‐vip. vod-­‐dc1-­‐fo.        CNAME      dc1-­‐vip. vod-­‐dc1-­‐fo.        CNAME      dc2-­‐vip. vod.                      CNAME      vod-­‐dc1. vod.                      CNAME      vod-­‐dc2.

  41. Capacity Management

  42. N = XR

  43. N = XR # concurrent requests

  44. N = XR # concurrent requests transaction rate

  45. N = XR # concurrent requests transaction rate response time

  46. N = XR # concurrent requests transaction rate response time

    Little’s Law

  47. client origin APIM 2 req/s 1s N = XR =

    2 req/s x 1s = 2 req

  48. client origin APIM 2 req/s 10s N = XR =

    2 req/s x 10s = 20 req

  49. client origin APIM 2 req/s 10s N = XR =

    2 req/s x 10s = 20 req

  50. Concurrent Request Limiting lua_shared_dict            

     counts    50M;   access_by_lua          …      +1   log_by_lua                …      -­‐1

  51. Testing

  52. function  TestOAuth1:test_reject_request_when_timestamp_expired()          -­‐-­‐  default  timestamp  is

     01/01/2014  UTC  so  it's  definitely  stale          local  conf  =  Conf:new({validate_timestamp  =  true,  ttl  =  300})          local  header  =  Header:new()          local  req  =  Req:new({oauth_params  =  header})          local  oauth  =  OAuth1:new(conf,  req)          local  res  =  oauth:authorize()          assertEquals(res.code,  Const.HTTP_UNAUTHORIZED)          assertEquals(res.error,  Const.ERROR_EXPIRED_TIMESTAMP)   end   lu  =  LuaUnit.new()   lu:setOutputType("tap")   os.exit(lu:runSuite())

  53. ngx.log(ngx.ERR,  “oops”)

  54. function  get_oauth_params_from_auth_header(env)      env  =  env  or  ngx  

       local  auth_hdrs  =  env.req.get_headers()["Authorization"]      ...

  55. function  TestRequest:test_retrieve_oauth_params_from_header()      local  header  =  [[Oauth  realm="example.com",  ]]

             ..  [[oauth_consumer_key="mykey",]]          ..  [[oauth_version="1.0"]]      local  ngx  =  StubNgx:new({  Authorization  =  header  })      local  res  =  get_oauth_params_from_auth_header(ngx)      assertEquals("1.0",  res.oauth_version)      ...
  56. None
  57. None

  58. test harness

  59. test harness

  60. test harness

  61. test harness

  62. test harness nginx-­‐oauth1.conf

  63. test harness nginx-­‐oauth1.conf

  64. test harness nginx-­‐oauth1.conf

  65. def  spec_using_valid_oauth_credentials(self,  harness):          auth  =  OAuth1("mykey",

     "mysecret")          body_data  =  "{'function':  'tick'}"          harness.reset_data()          response  =  requests.post(root_url,  data=body_data,  auth=auth,                                                            headers={'Content-­‐Type':                                                                              'application/json'})          assert  response.status_code  ==  200          assert  "Authorization"  in  harness.forwarded_headers          assert  "Oauth"  in  harness.forwarded_headers["Authorization"]          assert  harness.forwarded_body  ==  body_data  

  66. Deployment

  67. None

  68. Configs in VCS Playbooks in VCS

  69. Configs in VCS config templates API configs vault
 (keys) Playbooks

    in VCS

  70. Configs in VCS config templates API configs vault
 (keys) Playbooks

    in VCS

  71. Configs in VCS config templates API configs vault
 (keys) Playbooks

    in VCS vip.conf vhost.lua vhost.conf vhost.conf vhost.lua nginx.conf

  72. Configs in VCS config templates API configs vault
 (keys) Playbooks

    in VCS vip.conf vhost.lua vhost.conf vhost.conf vhost.lua nginx.conf

  73. Configs in VCS config templates API configs vault
 (keys) ssh

    Playbooks in VCS vip.conf vhost.lua vhost.conf vhost.conf vhost.lua nginx.conf

  74. Configs in VCS config templates API configs vault
 (keys) ssh

    Playbooks in VCS vip.conf vhost.lua vhost.conf vhost.conf vhost.lua nginx.conf

  75. Results

  76. Performance

  77. switch Performance

  78. switch mean 99th Performance

  79. switch ~10x mean 99th Performance

  80. Stability

  81. switch Stability

  82. Impact index=codebig  host=*.cimops.net  source="/var/log/nginx/access.log"  |   eval  d  =  request_time

     -­‐  upstream_response_time  |  
 timechart  span=1m  perc99(d)  max(d)

  83. Impact seconds index=codebig  host=*.cimops.net  source="/var/log/nginx/access.log"  |   eval  d  =

     request_time  -­‐  upstream_response_time  |  
 timechart  span=1m  perc99(d)  max(d)

  84. Impact seconds index=codebig  host=*.cimops.net  source="/var/log/nginx/access.log"  |   eval  d  =

     request_time  -­‐  upstream_response_time  |  
 timechart  span=1m  perc99(d)  max(d) 99th

  85. Impact seconds index=codebig  host=*.cimops.net  source="/var/log/nginx/access.log"  |   eval  d  =

     request_time  -­‐  upstream_response_time  |  
 timechart  span=1m  perc99(d)  max(d) 99th max

  86. Successes

  87. Successes great performance improvements

  88. Successes great performance improvements 68 endpoints in August

  89. Successes great performance improvements 68 endpoints in August ~150 endpoints

    in September

  90. Challenges

  91. Challenges 3rd-party Lua ecosystem

  92. Challenges 3rd-party Lua ecosystem deployment playbook churn

  93. Challenges 3rd-party Lua ecosystem deployment playbook churn configuration file size

  94. Challenges 3rd-party Lua ecosystem deployment playbook churn configuration file size

    kernel tuning

  95. Challenges 3rd-party Lua ecosystem deployment playbook churn configuration file size

    kernel tuning owning availability

  96. Conclusion

  97. Conclusion NGINX + Lua for HTTP middleware

  98. Conclusion NGINX + Lua for HTTP middleware Automated test and

    deployment pipeline

  99. Conclusion NGINX + Lua for HTTP middleware Automated test and

    deployment pipeline Concurrent request limiting

  100. Conclusion NGINX + Lua for HTTP middleware Automated test and

    deployment pipeline Concurrent request limiting Operational flexibility

  101. Thanks